From: THOBY Simon <Simon.THOBY@viveris.fr>
To: "zohar@linux.ibm.com" <zohar@linux.ibm.com>,
"dmitry.kasatkin@gmail.com" <dmitry.kasatkin@gmail.com>,
"linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
BARVAUX Didier <Didier.BARVAUX@viveris.fr>
Cc: THOBY Simon <Simon.THOBY@viveris.fr>
Subject: [PATCH v4 0/5] IMA: restrict the accepted digest algorithms for
Date: Tue, 27 Jul 2021 16:33:33 +0000 [thread overview]
Message-ID: <20210727163330.790010-1-simon.thoby@viveris.fr>
IMA protects files by storing a hash (or a signature thereof) of their
content in the security.ima xattr. While the security.ima xattr itself
is protected by EVM with either a HMAC or a digital signature, no
mechanism is currently in place to ensure that the security.ima xattr
was generated with a strong digest algorithm, as was outlined in
https://lore.kernel.org/linux-integrity/10dde047d76b447f32ca91356599be679b8a76e5.camel@linux.ibm.com/t/#m0f8127c6982ef94aa42f5cc13ea83b9f9000917e
One important point is safeguarding users from mislabelling their
files when using userland utilities to update their files, as this
is the kind of behavior one can observe with evmctl (`evmctl ima_hash`
defaults to sha1). Another group that may be interested is those
that have deployed IMA years ago, possibly using algorithms that
were then deemed sufficiently collision-resistant, but that proved
to be weak with the passage of time (note that this could also
happen in the future with algorithms considered safe today).
This patch provides a migration path of sorts for these users.
This patch series gives users the ability to restrict the algorithms
accepted by their system, both when writing/updating xattrs, and
when appraising files, while retaining a permissive behavior by default
to preserve backward compatibility.
To provide these features, alter the behavior of setxattr to
only accept hashes built in the kernel, instead of any hash listed
in the kernel (complete list crypto/hash_info.c). In addition, the
user can define in his IMA policy the list of digest algorithms
allowed for writing to the security.ima xattr. In that case,
only algorithms present in that list are accepted for writing.
In addition, users may opt-in to whitelisting the hash
algorithms accepted when appraising thanks to the new
"appraise_hash" IMA policy option.
By default IMA will keep accepting any hash algorithm, but specifying
that option will make appraisal of files hashed with another algorithm
fail.
Even when using this option to restrict accepted hashes, a migration
to a new algorithm is still possible. Suppose your policy states you
must migrate from 'old_algo' (e.g. sha1) to 'new_algo' (e.g. one of
sha256/384/512). You can upgrade without relaxing the hash requirements:
alter your policy rules from 'appraise_hash=old_algo' to
'appraise_hash=old_algo,new_algo', update the "ima_hash" parameter to
'new_algo', reboot, relabel all your files with 'new_algo', alter your
policy rule from 'appraise_hash=old_algo,new_algo' to
'appraise_hash=new_algo', reboot again and you're done.
Agreed, it's quite a lot of churn - I don't know if this can be reduced -
but this is technically doable.
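To make the semantics of the two restrictions concrete, here is a small Python model (added here as an illustration; it is not code from the patch series and does not touch a real kernel) of the write-time and appraisal-time checks described above, run over the three policy stages of the migration walk-through. It assumes the rule syntax 'appraise func=SETXATTR_CHECK appraise_hash=...' for the write-side list, that policy rules are matched first-match per hook as IMA does, and a constructed set of algorithms "compiled into" the kernel; the hook name BPRM_CHECK and the function names are the example's own.

```python
"""Model of the IMA digest-algorithm restrictions described in the cover letter.

Constructed example: no kernel interaction, only the decision logic
(which algorithms may be written to security.ima, and which are accepted
when appraising) applied to the migration stages old_algo -> new_algo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption for the example: these are the hash algorithms compiled into
# the kernel.  Anything else is rejected on setxattr regardless of policy.
BUILTIN_ALGOS = frozenset({"sha1", "sha256", "sha384", "sha512"})


@dataclass
class Rule:
    action: str                         # e.g. "appraise"
    func: Optional[str]                 # hook name, e.g. "BPRM_CHECK" or "SETXATTR_CHECK"
    appraise_hash: Optional[frozenset]  # None means "any algorithm accepted"


def parse_rule(line: str) -> Rule:
    """Parse one policy line such as 'appraise func=BPRM_CHECK appraise_hash=sha1,sha256'."""
    action, *opts = line.split()
    func, algos = None, None
    for opt in opts:
        key, _, value = opt.partition("=")
        if key == "func":
            func = value
        elif key == "appraise_hash":
            algos = frozenset(value.split(","))
    return Rule(action, func, algos)


def parse_policy(text: str) -> List[Rule]:
    """Parse a multi-line policy, skipping blanks and '#' comments."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def setxattr_result(policy: List[Rule], algo: str) -> str:
    """Outcome of a userland write of security.ima hashed with `algo`.

    Two independent filters: the algorithm must be built into the kernel,
    and, if a SETXATTR_CHECK rule lists algorithms, it must be among them.
    """
    if algo not in BUILTIN_ALGOS:
        return "unsupported-hash-algorithm"
    for rule in policy:
        if rule.func == "SETXATTR_CHECK" and rule.appraise_hash is not None:
            if algo not in rule.appraise_hash:
                return "denied-hash-algorithm"
            break
    return "ok"


def appraise_result(policy: List[Rule], func: str, algo: str) -> str:
    """Outcome of appraising a file whose security.ima uses `algo` under hook `func`."""
    for rule in policy:
        if rule.action != "appraise" or rule.func != func:
            continue
        # First matching rule decides.  Without appraise_hash, IMA stays permissive.
        if rule.appraise_hash is not None and algo not in rule.appraise_hash:
            return "denied-hash-algorithm"
        return "ok"
    return "ok"  # no appraise rule for this hook: nothing to enforce


# The three policy states of the migration described in the cover letter
# (old_algo = sha1, new_algo = sha256).  ima_hash is switched to sha256
# together with the second stage.
MIGRATION = [
    ("before",     "appraise func=BPRM_CHECK appraise_hash=sha1"),
    ("transition", "appraise func=BPRM_CHECK appraise_hash=sha1,sha256"),
    ("after",      "appraise func=BPRM_CHECK appraise_hash=sha256"),
]


def migration_outcomes() -> Dict[str, Dict[str, str]]:
    """For each stage, whether a sha1- and a sha256-labelled file still appraise."""
    outcomes = {}
    for stage, policy_text in MIGRATION:
        policy = parse_policy(policy_text)
        outcomes[stage] = {algo: appraise_result(policy, "BPRM_CHECK", algo)
                           for algo in ("sha1", "sha256")}
    return outcomes


if __name__ == "__main__":
    for stage, result in migration_outcomes().items():
        print(f"{stage:>10}: {result}")
    write_policy = parse_policy("appraise func=SETXATTR_CHECK appraise_hash=sha256,sha512")
    for algo in ("md5", "sha1", "sha256"):
        print(f"setxattr with {algo}: {setxattr_result(write_policy, algo)}")
```

The transition stage is the point of the exercise: while both algorithms are listed, files labelled with either hash appraise successfully, so the relabel can proceed without ever dropping the appraise_hash restriction. The write-side check shows the two distinct failure reasons the changelog mentions: an algorithm the kernel lacks versus one the vendor's policy excludes.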
This series is based on the following repo/branch:
repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
branch: master
commit ff1176468d368232b684f75e82563369208bc371 ("Linux 5.14-rc3")
Changelog since v3:
- fixed an issue where the first write to the policy would ignore the
SETXATTR_CHECK attribute
- fixed potential concurrency issues (I would greatly like external
opinions on this, because I clearly don't know much about RCU. Besides,
maybe it's better to completely ignore the duplicate SETXATTR_CHECK
issue and not update the IMA policy in any case)
- remove the CONFIG_CRYPTO_MD5 requirement for IMA (suggested by Mimi Zohar)
- updated commit messages to follow more closely the kernel style guide
(suggested by Mimi Zohar)
- moved the hash verification code on appraisal a bit later, to prevent
issues when using the code with IMA in a disable/auditing mode
(suggested by Mimi Zohar)
- limit the 'appraise_hash' parameter to the 'appraise' action
(suggested by Mimi Zohar)
Changelog since v2:
- remove the SecureBoot-specific behavior (suggested by Mimi Zohar)
- users can now tweak through policy both the algorithms for
appraising files (a feature already present in v2) and for writing
with the new SETXATTR_CHECK value for the 'func' ima policy flag
- updating 'forbidden-hash-algorithm' to 'denied-hash-algorithm' and
'unsupported-hash-algorithm' to disambiguate cases when the user
asked for an algorithm not present in the kernel and when the system
vendor explicitly opted in to a restricted list of accepted
algorithms (suggested by Mimi Zohar)
- change the order of the patches to be bisect-safe while retaining
the guarantee that a policy cannot be accepted but not enforced
(suggested by Mimi Zohar)
Changelog since v1:
- Remove the two boot parameters (suggested by Mimi Zohar)
- filter out hash algorithms not compiled in the kernel
on xattr writes (suggested by Mimi Zohar)
- add a special case when secure boot is enabled: only the
ima_hash algorithm is accepted on userland writes
- add a policy option to opt-in to restricting digest algorithms
at a per-rule granularity (suggested by Mimi Zohar)
Simon Thoby (5):
IMA: remove the dependency on CRYPTO_MD5
IMA: block writes of the security.ima xattr with unsupported
algorithms
IMA: add support to restrict the hash algorithms used for file
appraisal
IMA: add a policy option to restrict xattr hash algorithms on
appraisal
IMA: introduce a new policy option func=SETXATTR_CHECK
Documentation/ABI/testing/ima_policy | 15 ++-
security/integrity/ima/Kconfig | 1 -
security/integrity/ima/ima.h | 10 +-
security/integrity/ima/ima_api.c | 6 +-
security/integrity/ima/ima_appraise.c | 79 +++++++++++-
security/integrity/ima/ima_main.c | 19 ++-
security/integrity/ima/ima_policy.c | 168 +++++++++++++++++++++++++-
7 files changed, 278 insertions(+), 20 deletions(-)
--
2.31.1
Thread overview: 17+ messages
2021-07-27 16:33 THOBY Simon [this message]
2021-07-27 16:33 ` [PATCH v4 1/5] IMA: remove the dependency on CRYPTO_MD5 THOBY Simon
2021-07-27 17:57 ` Mimi Zohar
2021-07-27 16:33 ` [PATCH v4 2/5] IMA: block writes of the security.ima xattr with unsupported algorithms THOBY Simon
2021-07-27 20:32 ` Mimi Zohar
2021-07-28 7:00 ` THOBY Simon
2021-07-28 12:43 ` Mimi Zohar
2021-07-28 12:53 ` THOBY Simon
2021-07-28 13:09 ` Mimi Zohar
2021-07-27 16:33 ` [PATCH v4 3/5] IMA: add support to restrict the hash algorithms used for file appraisal THOBY Simon
2021-07-27 20:38 ` Mimi Zohar
2021-07-27 16:33 ` [PATCH v4 4/5] IMA: add a policy option to restrict xattr hash algorithms on appraisal THOBY Simon
2021-07-27 21:07 ` Mimi Zohar
2021-07-27 16:33 ` [PATCH v4 5/5] IMA: introduce a new policy option func=SETXATTR_CHECK THOBY Simon
2021-07-27 17:25 ` Mimi Zohar
2021-07-27 17:58 ` THOBY Simon
2021-07-27 17:47 ` [PATCH v4 0/5] IMA: restrict the accepted digest algorithms for Mimi Zohar